Recently, AttackIQ introduced two new Flex packages designed to fortify your organization’s security posture against Command and Control communications and assess the effectiveness of your Next-Generation Firewall (NGFW). If you’re not familiar with Flex, read here.
Let’s dive into exactly what these entail.
Why this revolutionary new testing matters for your organization:
Packet capture (PCAP) replay technology enables customers to replay actual attack traffic between our cloud and your target asset to determine whether the in-line security controls detect and prevent the attack. This tests the efficacy of your perimeter security controls without sending malicious traffic over the wire, which can be beneficial for organizations that don’t want to spend time configuring and scheduling system downtime for their testing.
At the end of the test, users instantly get clear guidance on how to mitigate any security gaps we find.
Like other test packages in Flex, you can mix and match them to test different security controls in your environment. At less than a quarter the cost of a pentest, this makes it an efficient way of quickly assessing risk and justifying security spend.
How it Works:
AttackIQ’s PCAP replay package assesses your NGFW’s capabilities in five tests aligned with standard NGFW capabilities. The tests include:
- Anti-malware
- Application filtering
- File blocking
- Intrusion prevention
- URL filtering
Anti-malware
Anti-malware provides built-in sandboxing and advanced malware protection that continuously analyzes file behavior to detect and eliminate threats quickly. It can leverage cloud-delivered threat intelligence to stop emerging threats.
This test contains the following scenarios:
- Download Ryuk Malware Sample
- Download Trickbot Loader Malware Sample
- Fake Chrome Update through malicious JavaScript
- Heap-based buffer overflow in Adobe Flash Player
Application filtering
Application filtering enables the firewall to identify and control thousands of applications regardless of port, protocol, or encryption. It can prevent unauthorized or risky applications from consuming bandwidth or compromising security.
This test contains the following scenarios:
- Remote Desktop (RDP) on port 443
- Remote Service Connection to AttackIQ Defense Lab using SSH on port 443
- Remote Service Connection to AttackIQ Defense Lab using Telnet on port 25
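The three scenarios above all hinge on the same idea: the firewall must recognize the application from the traffic itself, not from the port. The following example, added here as an illustration and not AttackIQ's code, fingerprints the first client-to-server bytes of a connection against a few well-known handshake patterns (assumed simplified signatures; a real NGFW carries far richer ones) and flags a mismatch when a recognized protocol appears on an unexpected port, using constructed payloads that mirror the page's scenarios.

```python
"""Port-independent application identification, in the spirit of the
application-filtering scenarios above. Added illustration, not AttackIQ code:
a real NGFW carries far richer signatures; a few handshake byte patterns
are enough to show why matching on the port number alone is not sufficient."""

# Assumed "usual port" table, used only to flag protocol/port mismatches.
EXPECTED_PORTS = {"ssh": {22}, "rdp": {3389}, "telnet": {23},
                  "tls": {443}, "http": {80}, "smtp": {25}}

def identify_app(payload: bytes) -> str:
    """Guess the application from the first client-to-server bytes."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # RDP: TPKT header (version 3) carrying an X.224 Connection Request (0xE0)
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"
    # TLS ClientHello: record type 22 (handshake), major version 3, handshake type 1
    if len(payload) >= 6 and payload[:2] == b"\x16\x03" and payload[5] == 0x01:
        return "tls"
    # Telnet option negotiation: IAC (0xFF) followed by WILL/WONT/DO/DONT
    if len(payload) >= 2 and payload[0] == 0xFF and payload[1] in (0xFB, 0xFC, 0xFD, 0xFE):
        return "telnet"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"
    if payload.upper().startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"

def inspect(dst_port: int, payload: bytes) -> tuple[str, bool]:
    """Return (application, mismatch); mismatch is True when a recognized
    application shows up on a port where that application is not expected."""
    app = identify_app(payload)
    expected = EXPECTED_PORTS.get(app)
    return app, expected is not None and dst_port not in expected

# Constructed first-packet payloads mirroring the three scenarios on the page,
# plus a genuine TLS ClientHello on 443 that should pass.
SAMPLES = [
    (443, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),
    (443, b"SSH-2.0-OpenSSH_9.3\r\n"),
    (25, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        app, mismatch = inspect(port, data)
        print(f"port {port:>4}: {app:<7} {'MISMATCH' if mismatch else 'ok'}")
```

A firewall that only matches on port would pass all four samples as "443/25 traffic"; content-based identification is what separates the three mismatches from the legitimate TLS session.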
File blocking
File blocking allows the firewall to identify and control specific file types that you want to block or monitor based on the content or the name of the file. It can also block file downloads by extension or type using custom fingerprints or signatures.
This test contains the following scenarios:
- Download Portable Executable .exe file
- Download Torrent .torrent file
- Download Windows Batch .bat file
- Download Windows Registry .reg file
Intrusion prevention
Intrusion prevention integrates a best-of-breed next-generation intrusion prevention system (IPS) that can spot stealthy threats and stop them quickly. It can also use AI/ML-powered security to improve detection and response.
This test contains the following scenarios:
- Hancitor CnC Web Communication
- TrickBot (TA505) CnC Web Communication
- Taidoor CnC Web Communication
URL filtering
URL filtering allows the firewall to enforce policies on hundreds of millions of URLs and block access to malicious or inappropriate websites.
This test contains the following scenarios:
- Web Access to Gambling site PokerStars
- Web access to Gun site GunsAmerica
- Web access to Hacking site hackthissite.org
- Web access to Pornography site PornHub
Security Control Baseline – Web Communication
One of the most dangerous types of attack is command and control (C2) communication. These are the methods cybercriminals use to control and manage their malware and compromised systems remotely. C2 communications can be used to carry out malicious activities, such as stealing data, executing commands, or moving laterally within a network, and can be challenging to detect and prevent.
Our new Flex test package simulates malware families that leverage C2 communications, such as Agent Tesla, Hancitor, and TrickBot.
This package contains the following scenarios:
- PCAP Replay – Spelevo infection with PsiXBot Command and Control traffic
- PCAP Replay – 2018-10 LokiBot HTTP Command and Control Traffic
- PCAP Replay – 2017 Qakbot HTTP Command and Control Requests
- PCAP Replay – Trevor HTTP Command and Control Activity (bing.com)
- PCAP Replay – Havoc HTTP Command and Control Activity
- PCAP Replay – Sliver HTTP Command and Control Activity
- PCAP Replay – Empire HTTP Command and Control Activity
- PCAP Replay – Hancitor CnC Web Communication
- PCAP Replay – 2018-08 Trickbot Stage Downloader (table.png)
- PCAP Replay – 2022-07 Agent Tesla Command and Control over HTTP
Wrap-up
AttackIQ’s PCAP replay Flex packages not only provide organizations with a comprehensive assessment of their NGFW’s security posture but also help identify potential security gaps in C2 communications. They help organizations optimize their NGFW’s configuration and deployment to achieve the best results, while giving recommendations on improving their security posture against C2 communications and other potential threats.
Sign up for your free plan today and give these tests a try!